Secure Information Flow Based on Data Flow Analysis

ISSN 1746-7659, England, UK
Journal of Information and Computing Science, 2007, No. 4, pp. 52-60

Secure Information Flow Based on Data Flow Analysis

Jianbo Yao
Center of Information and Computer, Zunyi Normal College, Zunyi, Guizhou, 56300, China

(Received December 2006, accepted April 2007)

Abstract. The static analysis of secure information flow has been studied for many years. The existing methods tend either to be overly conservative or to pay too much attention to location information leaks. This paper uses data flow analysis to deal with secure information flow. Two kinds of variables whose security levels are updated dynamically are introduced. A program is secure if no variable has a downgraded security level at the exit of the program. The analysis can deal with more secure programs. The soundness of the analysis is proved.

Keywords: secure information flow, data flow analysis, static analysis, formal semantics.

1. Introduction

The static analysis of secure information flow has been studied for many years [1]. The analysis of secure information flow checks whether the information flow of a given program is secure. Secure information flow ensures noninterference, that is, observations of the initial and final values of low-security variables do not provide any information about the initial values of high-security variables. Consider a program whose variables are partitioned into two disjoint tuples H (secret) and L (public). The program is secure if examination of the initial and final values of any L variable does not give any information about the initial values of any H variable. For example, the program H := L is secure since the value of L is independent of the initial value of H. Similarly, the program L := 8 is secure, because the final value of L is always 8, regardless of the initial value of H. However, the program L := H is not secure, since the value of H can be observed as the final value of L. This flow of information from H to L is called explicit; we call it an explicit leak from H to L.
The program if H then L := 0 else L := 1 is insecure: although each branch of the conditional is secure, H is indirectly copied into L. This flow of information from H to L is called implicit; we call it an implicit leak from H to L. A secure program may contain a location information leak. For example, each of the four programs

(1) L := H; L := 8
(2) H := L; L := H
(3) L := H; L := L - H
(4) if false then L := H end

contains the location information leak L := H, yet all four programs are secure. The existing methods tend either to be overly conservative, giving insecure answers to many secure programs, or to pay too much attention to location information leaks: the existence of a location information leak does not

Published by World Academic Press, World Academic Union

imply that there is an information leak in the program. In this paper, data flow analysis is used to deal with secure information flow. The analysis proposed here is more precise than the existing syntactic approaches. However, since the analysis is syntactic in nature, it cannot be as precise as the semantic approaches of Joshi-Leino and Sabelfeld-Sands [6,7] or the theorem proving approach of Darvas-Hähnle-Sands [8].

The rest of the paper is organized as follows: Section 2 informally describes the problem of secure information flow using some simple examples. Section 3 presents the syntax and semantics of the While language. Section 4 explains how to construct the flow graph and then gives the data flow equations for detecting information leaks. Section 5 proves the soundness of the analysis. Section 6 concludes.

The Denning-Denning's original method [9], the Mizuno-Schmidt's data flow analysis [4] and the Volpano-Smith's type system all assert that the above four programs are insecure. Doh-Shin's data flow analysis claims that it can solve the problem of programs 1 and 2, but in fact it can only solve the security problem of one of them. Our analysis certifies that the above four programs are all secure [6].

2. Syntax and Semantics

In this paper, we consider an imperative core language [10], While. In order to identify statements and tests in a While program, we give a unique label to each of the assignments, skip statements, and tests.

Syntax domains:

$a \in AExp$ arithmetic expressions
$b \in BExp$ Boolean expressions
$S \in Stmt$ statements
$x \in Var$ variables
$\ell \in Lab$ labels

Abstract syntax:

$S ::= [x := a]^\ell \mid [skip]^\ell \mid S_1; S_2 \mid \mathbf{if}\ [b]^\ell\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2 \mid \mathbf{while}\ [b]^\ell\ \mathbf{do}\ S$

Configurations and transitions: A state is a mapping from variables to integers, $State = Var \to \mathbb{Z}$. A configuration of the semantics is either a pair $\langle S, \sigma \rangle$ or a state $\sigma$, where $S \in Stmt$ and $\sigma \in State$. A terminal configuration consists only of a state.
The transitions of the semantics show how a configuration is changed by one step of computation and take one of the following forms: $\langle S, \sigma \rangle \to \langle S', \sigma' \rangle$ and $\langle S, \sigma \rangle \to \sigma'$. For arithmetic and Boolean expressions $a$ and $b$, we assume that the semantic functions are defined as follows:

$\mathcal{A} : AExp \to (State \to \mathbb{Z})$
$\mathcal{B} : BExp \to (State \to \mathbb{T})$

where $\mathbb{Z}$ is the set of integers and $\mathbb{T}$ is the set of truth values.

Structural operational semantics:

[ass] $\langle [x := a]^\ell, \sigma \rangle \to \sigma[x \mapsto \mathcal{A}[\![a]\!]\sigma]$
[skip] $\langle [skip]^\ell, \sigma \rangle \to \sigma$
[seq$_1$] if $\langle S_1, \sigma \rangle \to \langle S_1', \sigma' \rangle$ then $\langle S_1; S_2, \sigma \rangle \to \langle S_1'; S_2, \sigma' \rangle$

JIC email for subscription: publishing@wau.org.uk

[seq$_2$] if $\langle S_1, \sigma \rangle \to \sigma'$ then $\langle S_1; S_2, \sigma \rangle \to \langle S_2, \sigma' \rangle$
[if$_1$] $\langle \mathbf{if}\ [b]^\ell\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2, \sigma \rangle \to \langle S_1, \sigma \rangle$ if $\mathcal{B}[\![b]\!]\sigma = \mathit{true}$
[if$_2$] $\langle \mathbf{if}\ [b]^\ell\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2, \sigma \rangle \to \langle S_2, \sigma \rangle$ if $\mathcal{B}[\![b]\!]\sigma = \mathit{false}$
[wh$_1$] $\langle \mathbf{while}\ [b]^\ell\ \mathbf{do}\ S, \sigma \rangle \to \langle S; \mathbf{while}\ [b]^\ell\ \mathbf{do}\ S, \sigma \rangle$ if $\mathcal{B}[\![b]\!]\sigma = \mathit{true}$
[wh$_2$] $\langle \mathbf{while}\ [b]^\ell\ \mathbf{do}\ S, \sigma \rangle \to \sigma$ if $\mathcal{B}[\![b]\!]\sigma = \mathit{false}$

3. Secure Information Flow Analysis

In this section, we use data flow analysis to deal with secure information flow [3]. We first define a suitable flow graph for While programs, and then formulate the data flow equations of the analysis.

3.1. The Flow Graph

The flow graph is defined in the style of Nielson-Nielson-Hankin's book [8]. In order to analyse secure information flow, we explicitly add to the flow graph an implicit flow from a test block to each statement block in the conditional branches or in the while-loop body, in addition to the normal control flow. A flow graph consists of a set of elementary blocks and a set of (control and implicit) flows between blocks. More formally, the flow graph for a While statement $S$ is defined to be the quintuple

$\mathit{flowgraph}(S) = (\mathit{blocks}(S), \mathit{flow}(S), \mathit{flow}'(S), \mathit{init}(S), \mathit{final}(S))$

where each of the functions is defined below. Let $Blocks$ be the set of elementary blocks of the form $[x := a]^\ell$, $[skip]^\ell$ or $[b]^\ell$, where $\ell \in Lab$. The function $\mathit{blocks}$ finds the set of elementary blocks in a given statement:

$\mathit{blocks} : Stmt \to \mathcal{P}(Blocks)$
$\mathit{blocks}([x := a]^\ell) = \{[x := a]^\ell\}$
$\mathit{blocks}([skip]^\ell) = \{[skip]^\ell\}$
$\mathit{blocks}(S_1; S_2) = \mathit{blocks}(S_1) \cup \mathit{blocks}(S_2)$
$\mathit{blocks}(\mathbf{if}\ [b]^\ell\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2) = \{[b]^\ell\} \cup \mathit{blocks}(S_1) \cup \mathit{blocks}(S_2)$
$\mathit{blocks}(\mathbf{while}\ [b]^\ell\ \mathbf{do}\ S) = \{[b]^\ell\} \cup \mathit{blocks}(S)$

A flow graph always has a single entry, but it may have multiple exits due to conditional statements. Thus the function $\mathit{init}$ returns the initial label of a given statement:

$\mathit{init} : Stmt \to Lab$
$\mathit{init}([x := a]^\ell) = \ell$
$\mathit{init}([skip]^\ell) = \ell$
$\mathit{init}(S_1; S_2) = \mathit{init}(S_1)$
$\mathit{init}(\mathbf{if}\ [b]^\ell\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2) = \ell$
$\mathit{init}(\mathbf{while}\ [b]^\ell\ \mathbf{do}\ S) = \ell$

The function $\mathit{final}$ returns the set of final labels of a given statement:

$\mathit{final} : Stmt \to \mathcal{P}(Lab)$

JIC email for contribution: editor@jic.org.uk

$\mathit{final}([x := a]^\ell) = \{\ell\}$
$\mathit{final}([skip]^\ell) = \{\ell\}$
$\mathit{final}(S_1; S_2) = \mathit{final}(S_2)$
$\mathit{final}(\mathbf{if}\ [b]^\ell\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2) = \mathit{final}(S_1) \cup \mathit{final}(S_2)$
$\mathit{final}(\mathbf{while}\ [b]^\ell\ \mathbf{do}\ S) = \{\ell\}$

The function $\mathit{flow}$ returns the control flows between blocks in a given statement:

$\mathit{flow} : Stmt \to \mathcal{P}(Lab \times Lab)$
$\mathit{flow}([x := a]^\ell) = \emptyset$
$\mathit{flow}([skip]^\ell) = \emptyset$
$\mathit{flow}(S_1; S_2) = \mathit{flow}(S_1) \cup \mathit{flow}(S_2) \cup \{(\ell, \mathit{init}(S_2)) \mid \ell \in \mathit{final}(S_1)\}$
$\mathit{flow}(\mathbf{if}\ [b]^\ell\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2) = \mathit{flow}(S_1) \cup \mathit{flow}(S_2) \cup \{(\ell, \mathit{init}(S_1)), (\ell, \mathit{init}(S_2))\}$
$\mathit{flow}(\mathbf{while}\ [b]^\ell\ \mathbf{do}\ S) = \mathit{flow}(S) \cup \{(\ell, \mathit{init}(S))\} \cup \{(\ell', \ell) \mid \ell' \in \mathit{final}(S)\}$

The function $\mathit{flow}'$ defines the implicit flows in a given statement:

$\mathit{flow}' : Stmt \to \mathcal{P}(Lab \times Lab)$
$\mathit{flow}'([x := a]^\ell) = \emptyset$
$\mathit{flow}'([skip]^\ell) = \emptyset$
$\mathit{flow}'(S_1; S_2) = \mathit{flow}'(S_1) \cup \mathit{flow}'(S_2)$
$\mathit{flow}'(\mathbf{if}\ [b]^\ell\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2) = \mathit{flow}'(S_1) \cup \mathit{flow}'(S_2) \cup \{(\ell, \ell') \mid B^{\ell'} \in \mathit{blocks}(S_1)\} \cup \{(\ell, \ell') \mid B^{\ell'} \in \mathit{blocks}(S_2)\}$
$\mathit{flow}'(\mathbf{while}\ [b]^\ell\ \mathbf{do}\ S) = \mathit{flow}'(S) \cup \{(\ell, \ell') \mid B^{\ell'} \in \mathit{blocks}(S)\}$

For example, consider the Power program

$[z := 1]^1; \mathbf{while}\ [x > 0]^2\ \mathbf{do}\ ([z := z * y]^3; [x := x - 1]^4)$

We have

$\mathit{flowgraph}(\mathit{Power}) = (\mathit{blocks}(S), \mathit{flow}(S), \mathit{flow}'(S), \mathit{init}(S), \mathit{final}(S))$
$= (\{[z := 1]^1, [x > 0]^2, [z := z * y]^3, [x := x - 1]^4\}, \{(1,2), (2,3), (3,4), (4,2)\}, \{(2,3), (2,4)\}, 1, \{2\})$

3.2. The Analysis

Assume information has only two security levels, H and L. Each variable $x$ in a program is initially bound to a security level, which is denoted by underlining, $\underline{x}$. Beyond this initial level, the analysis marks variables in three ways. A marked L variable $x$ denotes an L variable whose security level has been upgraded after copying an H variable to the L variable $x$; a marked H variable $x$ denotes an H variable $x$ whose security level is

downgraded after copying an L variable to the H variable $x$; and an implicitly marked variable $x$ denotes an implicit H variable, arising when $x$ is an H variable in a test block. The analysis is defined as follows (each triple lists the upgraded L variables, the downgraded H variables and the implicit H variables):

gen : Blocks → P({x}, {x}, {x})
gen([x := a]^ℓ) = ({x}, {x}, ∅), with
  { x | z ∈ FV(a), z := , x, x < y } ∪ { x | y {x}, x := y, x < y }
  {x} = { x | x = H; y ∈ FV(a), y = L, y {x} }
gen([x := a]^ℓ) = (∅, ∅, ∅) if [x := a]^ℓ is never executed
gen([skip]^ℓ) = (∅, ∅, ∅)
gen([b]^ℓ) = (∅, ∅, {x}), with
  {x} = { x | y ∈ FV(a), y {x}, x y y z }
  {x} = { x | x ∈ FV(b), x = H, x {x} } ∪ { x | y ∈ FV(a), y := x, x = H }

kill : Blocks → P({x}, {x}, {x})
kill([x := a]^ℓ) = ({x}, {x}, ∅), with
  {x} = { x | y ∈ FV(a), y = H y x }
  {x} = { x | y ∈ FV(a), y = L (y H L }
kill([x := a]^ℓ) = (∅, ∅, ∅) if [x := a]^ℓ is never executed
kill([skip]^ℓ) = (∅, ∅, ∅)
kill([b]^ℓ) = (∅, ∅, ∅)

Information flow equations:

$L_{entry}(\ell) = (\emptyset, \emptyset, \emptyset)$ if $\ell = \mathit{init}(S)$
$L_{entry}(\ell) = \bigcup \{ L_{exit}(\ell') \mid (\ell', \ell) \in \mathit{flow}(S) \cup \mathit{flow}'(S) \}$ otherwise
$L_{exit}(\ell) = (\{x\}_{entry} \setminus \{x\}_{kill} \cup \{x\}_{gen},\ \{x\}_{entry} \setminus \{x\}_{kill} \cup \{x\}_{gen},\ \{x\}_{entry} \setminus \{x\}_{kill} \cup \{x\}_{gen})$, componentwise

Example 1. Consider the following program:

$[x := y]^1; [x := z]^2$, where $y = H$ and $x = z = L$. The analysis gives

$L_{entry}(1) = (\emptyset, \emptyset, \emptyset)$, $L_{exit}(1) = (\{x\}, \emptyset, \emptyset)$, $L_{entry}(2) = (\{x\}, \emptyset, \emptyset)$, $L_{exit}(2) = (\emptyset, \emptyset, \emptyset)$.

The upgraded $x$ is killed at the exit of block 2; at the termination of the program, $x = z = L$ has no relation with $y = H$. Thus the program is secure.

Example 2. Consider the following program: $[y := x]^1; [x := y]^2$, where $y = H$ and $x = L$. The analysis gives

$L_{entry}(1) = (\emptyset, \emptyset, \emptyset)$, $L_{exit}(1) = (\emptyset, \{x\}, \emptyset)$, $L_{entry}(2) = (\emptyset, \{x\}, \emptyset)$, $L_{exit}(2) = (\emptyset, \{x\}, \emptyset)$.

At the termination of the program, $x = L$ has no relation with $y = H$. Thus the program is secure.

Example 3. Consider the following program: $[x := y]^1; [x := x - y]^2$, where $x = L$ and $y = H$. The analysis gives

$L_{entry}(1) = (\emptyset, \emptyset, \emptyset)$, $L_{exit}(1) = (\{x\}, \emptyset, \emptyset)$, $L_{entry}(2) = (\{x\}, \emptyset, \emptyset)$, $L_{exit}(2) = (\emptyset, \emptyset, \emptyset)$.

At the termination of the program, $x = L$ has no relation with $y = H$. Thus the program is secure.

Example 4. Consider the following program: $\mathbf{if}\ [\mathit{false}]^1\ \mathbf{then}\ [x := y]^2\ \mathbf{end}$, where $x = L$ and $y = H$. The analysis gives

$L_{entry}(1) = (\emptyset, \emptyset, \emptyset)$, $L_{exit}(1) = (\emptyset, \emptyset, \emptyset)$, $L_{entry}(2) = (\emptyset, \emptyset, \emptyset)$, $L_{exit}(2) = (\emptyset, \emptyset, \emptyset)$.

At the termination of the program, $x = L$ has no relation with $y = H$. Thus the program is secure.

4. The Soundness as Noninterference

In this section, we prove that the analysis is sound by proving our analysis' noninterference property [1].

Theorem 1. Given a While program $S$, for each block $B^\ell \in \mathit{blocks}(S)$, we let

$L_{entry}(\ell) = (\{x\}_{entry}, \{x\}_{entry}, \{x\}_{entry})$ and $L_{exit}(\ell) = (\{x\}_{exit}, \{x\}_{exit}, \{x\}_{exit})$.

$N(\ell)$ is the set of all variables having L values at the entry of block $B^\ell$, and $X(\ell)$ is the set of all variables having L values at the exit of block $B^\ell$:

$N(\ell) = (\{x \mid x \in Var, \underline{x} = L\} \setminus \{x\}_{entry} \setminus \{x\}_{entry}) \cup \{x\}_{entry}$ (removing the upgraded L and implicit H variables at entry, adding the downgraded H variables at entry)
$X(\ell) = (\{x \mid x \in Var, \underline{x} = L\} \setminus \{x\}_{exit}) \cup \{x\}_{exit}$ (removing the upgraded L variables at exit, adding the downgraded H variables at exit)

Then:

(a) if $\langle S, \sigma_1 \rangle \to \langle S', \sigma_1' \rangle$ and $\sigma_1(x) = \sigma_2(x)$ for all $x \in N(\mathit{init}(S))$, then there exists $\sigma_2'$ such that $\langle S, \sigma_2 \rangle \to \langle S', \sigma_2' \rangle$ and $\sigma_1'(x) = \sigma_2'(x)$ for all $x \in N(\mathit{init}(S'))$;

(b) if $\langle S, \sigma_1 \rangle \to \sigma_1'$ and $\sigma_1(x) = \sigma_2(x)$ for all $x \in N(\mathit{init}(S))$, then there exists $\sigma_2'$ such that $\langle S, \sigma_2 \rangle \to \sigma_2'$ and $\sigma_1'(x) = \sigma_2'(x)$ for all $x \in X(\ell)$.

Proof: The proof is by induction on the shape of the inference tree used to establish $\langle S, \sigma_1 \rangle \to \langle S', \sigma_1' \rangle$ and $\langle S, \sigma_1 \rangle \to \sigma_1'$, respectively.

The case [ass]. Then $\langle [x := a]^\ell, \sigma_1 \rangle \to \sigma_1[x \mapsto \mathcal{A}[\![a]\!]\sigma_1]$, and for the upgraded component we have

$\{x\}_{exit} = \{x\}_{entry} \setminus \{x\}_{kill} \cup \{x\}_{gen}$
$= \{x\}_{entry} \setminus \{x\}_{kill} \cup \{ x \mid y \in FV(a), y \in \{x\}_{entry}, x < y \} \cup \{ x \mid z \in FV(a), z := y, z \in \{x\}_{entry}, x < y \} \cup \{ x \mid y \in \{x\}_{entry}, x := y, x < y \}$

and for the downgraded component

$\{x\}_{exit} = \{x\}_{entry} \setminus \{x\}_{kill} \cup \{x\}_{gen} = \{x\}_{entry} \setminus \{x\}_{kill} \cup \{ x \mid x = H; y \in FV(a), y = L, y \in \{x\}_{entry} \}$.

Since the information flow is secure, $\{x\}_{exit} = \emptyset$, and then $\{x\}_{gen} = \emptyset$. Thus we get, for all $y \in FV(a)$, $y \notin \{x\}_{entry}$ and $\underline{y} = L$, so $FV(a) \subseteq N(\ell)$. Therefore $\sigma_1(x) = \sigma_2(x)$ for all $x \in N(\ell)$ implies $\mathcal{A}[\![a]\!]\sigma_1 = \mathcal{A}[\![a]\!]\sigma_2$, because the value of $a$ is only affected by the L variables occurring in it. Taking $\sigma_2' = \sigma_2[x \mapsto \mathcal{A}[\![a]\!]\sigma_2]$ we have $\sigma_1'(x) = \sigma_2'(x)$ and thus $\sigma_1'(x) = \sigma_2'(x)$ for all $x \in X(\ell)$, as required.

The case [skip]. Then $\langle [skip]^\ell, \sigma_1 \rangle \to \sigma_1$, and we take $\sigma_2'$ to be $\sigma_2$; we have $N(\ell) = X(\ell)$.

The case [seq$_1$]. Then $\langle S_1; S_2, \sigma_1 \rangle \to \langle S_1'; S_2, \sigma_1' \rangle$ because $\langle S_1, \sigma_1 \rangle \to \langle S_1', \sigma_1' \rangle$. By the induction hypothesis, $\sigma_1(x) = \sigma_2(x)$ for all $x \in N(\mathit{init}(S_1))$ implies $\sigma_1'(x) = \sigma_2'(x)$ for all $x \in N(\mathit{init}(S_1'))$. Since $\mathit{init}(S_1; S_2) = \mathit{init}(S_1)$ and $\mathit{init}(S_1'; S_2) = \mathit{init}(S_1')$, we have $N(\mathit{init}(S_1; S_2)) = N(\mathit{init}(S_1))$ and $N(\mathit{init}(S_1'; S_2)) = N(\mathit{init}(S_1'))$, and we can immediately conclude that $\sigma_1(x) = \sigma_2(x)$ for all $x \in N(\mathit{init}(S_1; S_2))$ implies $\sigma_1'(x) = \sigma_2'(x)$ for all $x \in N(\mathit{init}(S_1'; S_2))$.

The case [seq$_2$]. Similar to the case [seq$_1$].

The case [if$_1$]. Then $\langle \mathbf{if}\ [b]^\ell\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2, \sigma_1 \rangle \to \langle S_1, \sigma_1 \rangle$ because $\mathcal{B}[\![b]\!]\sigma_1 = \mathit{true}$. Since $\mathit{init}(\mathbf{if}\ [b]^\ell\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2) = \ell$, we have

$N(\ell) = (\{x \mid x \in Var, \underline{x} = L\} \setminus \{x\}_{entry} \setminus \{x\}_{entry}) \cup \{x\}_{entry}$

and, for the entry of $S_1$,

$N(\mathit{init}(S_1)) = (\{x \mid x \in Var, \underline{x} = L\} \setminus \{x\}_{entry} \setminus \{x\}_{entry} \setminus \{x(b)\}) \cup \{x\}_{entry}$

where $\{x(b)\} = \{ x \mid y \in FV(b), y := x, x = H \}$ is the set of implicit H variables generated by the test $[b]^\ell$. Hence $\sigma_1(x) = \sigma_2(x)$ for all $x \in N(\ell)$ implies $\sigma_1(x) = \sigma_2(x)$ for all $x \in N(\mathit{init}(S_1))$, as required.

The case [if$_2$]. Similar to the case [if$_1$].

The case [wh]. Similar to the case [if$_1$].

This completes the proof.

Finally, we have an important corollary which states that noninterference is preserved throughout the execution of the entire program.

Corollary 1. Under the same assumptions as Theorem 1:

(1) (not yet terminated programs) if $\langle S, \sigma_1 \rangle \to^* \langle S', \sigma_1' \rangle$ and $\sigma_1(x) = \sigma_2(x)$ for all $x \in N(\mathit{init}(S))$, then there exists $\sigma_2'$ such that $\langle S, \sigma_2 \rangle \to^* \langle S', \sigma_2' \rangle$ and $\sigma_1'(x) = \sigma_2'(x)$ for all $x \in N(\mathit{init}(S'))$;

(2) (terminated programs) if $\langle S, \sigma_1 \rangle \to^* \sigma_1'$ and $\sigma_1(x) = \sigma_2(x)$ for all $x \in N(\mathit{init}(S))$, then there exists $\sigma_2'$ such that $\langle S, \sigma_2 \rangle \to^* \sigma_2'$ and $\sigma_1'(x) = \sigma_2'(x)$ for all $x \in X(\ell)$, for some $\ell \in \mathit{final}(S)$.

5. Conclusion

This paper uses data flow analysis to deal with secure information flow. The analysis proposed in this paper is more precise than the existing syntactic approaches. The analysis is proved to be sound by proving

our analysis' noninterference property.

6. References

[1] A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 2003, 21(1).
[2] Dennis Volpano, Geoffrey Smith. A Type-Based Approach to Program Security. Proceedings of TAPSOFT'97, Colloquium on Formal Approaches in Software Engineering, Lille, France, 14-18 April 1997.
[3] Dennis Volpano, Geoffrey Smith, Cynthia Irvine. A Sound Type System for Secure Flow Analysis. Journal of Computer Security, 1996.
[4] M. Mizuno and D. A. Schmidt. A security flow control algorithm and its denotational semantics correctness proof. Formal Aspects of Computing, 1992, 4: 727-754.
[5] Kyung-Goo Doh and Seung Cheol Shin. Data Flow Analysis of Secure Information-Flow. ACM SIGPLAN Notices, 2002, 37(8).
[6] R. Joshi and K. R. M. Leino. A semantic approach to secure information flow. Science of Computer Programming, 2000, 37: 113-138.
[7] A. Sabelfeld and D. Sands. A per model of secure information flow in sequential programs. Higher-Order and Symbolic Computation, 2001, 14: 59-91.
[8] A. Darvas, R. Hähnle and D. Sands. A Theorem Proving Approach to Analysis of Secure Information Flow. Technical Report, no. 2004-01.
[9] D. Denning, P. Denning. Certification of Programs for Secure Information Flow. Communications of the ACM, 1977, 20(7): 504-513.
[10] Hanne Riis Nielson and Flemming Nielson. Semantics with Applications: A Formal Introduction. July 1999.
[11] F. Nielson, H. R. Nielson and C. Hankin. Principles of Program Analysis. Springer, 1999.
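The flow-graph construction of Section 3.1, as an added example that is not the paper's own code: it implements blocks, init, final, flow and the implicit-flow function (named implicit_flow here) over the labelled While syntax of Section 2 and rebuilds the flowgraph(Power) tuple. The tuple-based AST encoding is this example's own assumption.

```python
"""Flow graph of a labelled While program (Section 3.1 of the paper).

AST encoding (an assumption of this example, not the paper's notation):
  ("assign", label, var, expr) | ("skip", label) | ("seq", S1, S2)
  | ("if", label, test, S1, S2) | ("while", label, test, S)
Expressions and tests are kept as strings: the flow graph only needs labels.
Elementary blocks are ("assign", l, x, a), ("skip", l) and ("test", l, b),
so the label of any block sits at index 1."""


def label(block):
    return block[1]


def blocks(s):
    """The set of elementary blocks of s (tests become ("test", l, b))."""
    k = s[0]
    if k in ("assign", "skip"):
        return {s}
    if k == "seq":
        return blocks(s[1]) | blocks(s[2])
    if k == "if":
        return {("test", s[1], s[2])} | blocks(s[3]) | blocks(s[4])
    if k == "while":
        return {("test", s[1], s[2])} | blocks(s[3])
    raise ValueError("unknown statement kind: %r" % k)


def init(s):
    """The single entry label: the first block of a sequence, else s's own."""
    return init(s[1]) if s[0] == "seq" else s[1]


def final(s):
    """The set of exit labels; a while loop always exits through its test."""
    k = s[0]
    if k in ("assign", "skip", "while"):
        return {s[1]}
    if k == "seq":
        return final(s[2])
    return final(s[3]) | final(s[4])  # if: either branch may exit


def flow(s):
    """Control-flow edges (l, l') in Lab x Lab."""
    k = s[0]
    if k in ("assign", "skip"):
        return set()
    if k == "seq":
        return flow(s[1]) | flow(s[2]) | {(l, init(s[2])) for l in final(s[1])}
    if k == "if":
        return flow(s[3]) | flow(s[4]) | {(s[1], init(s[3])), (s[1], init(s[4]))}
    # while: into the body, and from every body exit back to the test
    return flow(s[3]) | {(s[1], init(s[3]))} | {(l, s[1]) for l in final(s[3])}


def implicit_flow(s):
    """flow': an edge from a test to every block in its branches or body."""
    k = s[0]
    if k in ("assign", "skip"):
        return set()
    if k == "seq":
        return implicit_flow(s[1]) | implicit_flow(s[2])
    parts = [s[3], s[4]] if k == "if" else [s[3]]
    edges = set().union(*(implicit_flow(p) for p in parts))
    return edges | {(s[1], label(b)) for p in parts for b in blocks(p)}


def flowgraph(s):
    return (blocks(s), flow(s), implicit_flow(s), init(s), final(s))


# The Power program of Section 3.1: [z:=1]^1; while [x>0]^2 do ([z:=z*y]^3; [x:=x-1]^4)
POWER = ("seq", ("assign", 1, "z", "1"),
         ("while", 2, "x>0", ("seq", ("assign", 3, "z", "z*y"),
                                     ("assign", 4, "x", "x-1"))))

if __name__ == "__main__":
    b, f, fi, i, fin = flowgraph(POWER)
    print(sorted(label(x) for x in b), sorted(f), sorted(fi), i, sorted(fin))
```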
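The noninterference definition of the introduction and Theorem 1, as an added testing-based check that is not the paper's analysis: a small While interpreter runs each of the four programs of the introduction from pairs of initial states that agree on L and differ only on H, and compares the final L values, with the explicit leak L := H and the implicit leak if H then L := 0 else L := 1 for contrast. Expressions are evaluated with eval on a namespace without builtins, an assumption of this example; a finite test of this kind can refute noninterference but, unlike the paper's static analysis, cannot prove it for all inputs.

```python
"""Testing noninterference by running programs on pairs of initial states.

Same tuple AST as a labelled While program (an assumption of this example):
  ("assign", label, var, expr) | ("skip", label) | ("seq", S1, S2)
  | ("if", label, test, S1, S2) | ("while", label, test, S)
Expressions are Python expressions over the state's variables."""

import itertools


def ev(expr, state):
    # No builtins are exposed; only the program's own variables are visible.
    return eval(expr, {"__builtins__": {}}, dict(state))


def run(s, state):
    """Structural operational semantics of Section 2, executed to completion."""
    k = s[0]
    if k == "assign":
        state[s[2]] = ev(s[3], state)
    elif k == "seq":
        run(s[1], state)
        run(s[2], state)
    elif k == "if":
        run(s[3] if ev(s[2], state) else s[4], state)
    elif k == "while":
        while ev(s[2], state):
            run(s[3], state)
    return state  # skip leaves the state unchanged


def noninterfering(prog, low, high, values=range(-2, 3)):
    """True when no pair of initial states that agree on `low` and differ
    only on `high` ends in final states that differ on some L variable."""
    for lv in itertools.product(values, repeat=len(low)):
        finals = set()
        for hv in itertools.product(values, repeat=len(high)):
            st = dict(zip(low, lv))
            st.update(zip(high, hv))
            out = run(prog, st)
            finals.add(tuple(out[x] for x in low))
        if len(finals) > 1:  # some H input is observable through L
            return False
    return True


# The four programs of the introduction, each containing the local leak L := H
# (constructed encodings), and two genuinely insecure programs for contrast.
P1 = ("seq", ("assign", 1, "L", "H"), ("assign", 2, "L", "8"))
P2 = ("seq", ("assign", 1, "H", "L"), ("assign", 2, "L", "H"))
P3 = ("seq", ("assign", 1, "L", "H"), ("assign", 2, "L", "L - H"))
P4 = ("if", 1, "False", ("assign", 2, "L", "H"), ("skip", 3))
EXPLICIT = ("assign", 1, "L", "H")
IMPLICIT = ("if", 1, "H", ("assign", 2, "L", "0"), ("assign", 3, "L", "1"))

if __name__ == "__main__":
    for name, p in [("P1", P1), ("P2", P2), ("P3", P3), ("P4", P4),
                    ("explicit", EXPLICIT), ("implicit", IMPLICIT)]:
        print(name, "noninterfering" if noninterfering(p, ["L"], ["H"]) else "LEAK")
```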